forked from microsoft/azurelinux
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathCVE-2026-40385.patch
More file actions
33 lines (26 loc) · 1.26 KB
/
CVE-2026-40385.patch
File metadata and controls
33 lines (26 loc) · 1.26 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
From 4c475dc4c9020995382e342b24005330bcbcd1ef Mon Sep 17 00:00:00 2001
From: Marcus Meissner <meissner@suse.de>
Date: Fri, 3 Apr 2026 11:18:47 +0200
Subject: [PATCH] Avoid overflow on 32bit system when reading Nikon MakerNotes
The addition o2 = datao + exif_get_long(buf + o2, n->order)
could have overflowed on systems with 32bit unsigned int size_t.
This could have caused out of bound reads of data, leading to
misparsing of exif / crashes.
Reported-By: Kerwin <kerwinxia66001@gmail.com>
Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
Upstream-reference: https://github.com/libexif/libexif/commit/93003b93e50b3d259bd2227d8775b73a53c35d58.patch
---
libexif/olympus/exif-mnote-data-olympus.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/libexif/olympus/exif-mnote-data-olympus.c b/libexif/olympus/exif-mnote-data-olympus.c
index 6067b9e..bdeb5a9 100644
--- a/libexif/olympus/exif-mnote-data-olympus.c
+++ b/libexif/olympus/exif-mnote-data-olympus.c
@@ -382,6 +382,7 @@ exif_mnote_data_olympus_load (ExifMnoteData *en,
o2 += 2;
/* Go to where the number of entries is. */
+ if (CHECKOVERFLOW(o2,buf_size,exif_get_long (buf + o2, n->order))) return;
o2 = datao + exif_get_long (buf + o2, n->order);
break;
--
2.45.4